Bug 2297469 (CVE-2024-39497) - CVE-2024-39497 kernel: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)
Summary: CVE-2024-39497 kernel: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP...
Keywords:
Status: NEW
Alias: CVE-2024-39497
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-12 13:21 UTC by OSIDB Bzimport
Modified: 2024-07-15 15:55 UTC (History)
4 users (show)

Fixed In Version: kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2024-07-12 13:21:25 UTC
In the Linux kernel, the following vulnerability has been resolved:

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap
allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag
causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:
BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));

Return -EINVAL early if COW mapping is detected.

This bug affects all drm drivers using default shmem helpers.
It can be reproduced by this simple example:
void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);
ptr[0] = 0;


Note You need to log in before you can comment on or make changes to this bug.